Hi Hrvoje,

I'm also Cc'ing this message to the Debian BTS (#740846) to keep track of this issue in case we need this info in the future.

Thanks a lot.

Regards,

On 03/05/2014 09:14 PM, Hrvoje Matijakovic wrote:
> On Wed, Mar 05, 2014 at 08:43:51PM +0100, Dario Minnucci wrote:
>>
>> Hi Hrvoje,
>>
>> I'm in the process of closing CVE-2014-2029 in the Debian package and everything
>> seems OK on version 2.2.7 (it will soon be uploaded to 'unstable' and 'testing|jessie', thanks),
>> but my question is about version 2.1.2 (currently in 'stable|wheezy').
>>
>> Here it goes...
>>
>> By checking Percona Toolkit's Changelog file in 'percona-toolkit_2.2.7.tar.gz' I've found this:
>>
>>   v2.1.4 released 2012-09-20
>>
>>   * ...
>>   * Implemented the version-check feature in several tools, enabled with the
>>     --version-check option
>>   * ...
>>
>> Can you please confirm whether CVE-2014-2029 was introduced in version '2.1.4' or is also
>> present in previous versions (such as '2.1.2').
>>
>> If my assumptions are correct and CVE-2014-2029 was introduced in version '2.1.4', this means
>> that version '2.1.2' (currently in 'stable|wheezy') is *NOT* vulnerable to this CVE and I'll
>> be able to notify the Debian Security Team so they can update the Debian Security Tracker[0].
>>
>> Thanks in advance.
>>
>> Regards,
>>
>> [0] https://security-tracker.debian.org/tracker/source-package/percona-toolkit
>
> Hi Dario,
>
> I've checked with our lead PT developer and he confirmed that VersionCheck
> was introduced in 2.1.4. The LP milestone says that as well:
> https://launchpad.net/percona-toolkit/2.1/2.1.4
>
> Let me know if you need anything else regarding this,
>
> Thanks,
> Hrvoje

--
Dario Minnucci <mid...@debian.org>
Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
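The triage step Dario describes above (find in the upstream changelog which release introduced --version-check, then compare the packaged version against it) written out as an added Python example. This is not code from the thread, from Debian or from Percona. The changelog text in the block is constructed to mimic the format quoted in the thread: only the v2.1.4 entry is copied from the message, the other release headings and bullets are placeholders, the version comparison is a simplification of dpkg's ordering, and treating 2.2.7 as the fixed version is an assumption taken from Dario's remark that 2.2.7 looks OK.

```python
import re
from typing import List, Optional, Tuple

# Constructed changelog excerpt in the "vX.Y.Z released <date>" / "* ..." layout
# quoted in the thread. Only the v2.1.4 entry is taken from the message; the
# other headings and bullets are placeholders, not real release notes.
CHANGELOG = """\
v2.2.7 released ...
  * ... (placeholder)

v2.1.4 released 2012-09-20
  * ...
  * Implemented the version-check feature in several tools, enabled with the
    --version-check option
  * ...

v2.1.2 released ...
  * ... (placeholder)
"""

HEADING = re.compile(r"^v(\d+(?:\.\d+)+)\s+released\b")


def parse_changelog(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(version, [bullet, ...]), ...] in file order (newest first).

    A line that is neither a heading nor a '*' bullet is treated as the
    wrapped continuation of the previous bullet, which matters here because
    the --version-check flag sits on the second line of its bullet."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADING.match(line)
        if m:
            entries.append((m.group(1), []))
            continue
        if not entries or not line:
            continue
        if line.startswith("*"):
            entries[-1][1].append(line.lstrip("* ").strip())
        elif entries[-1][1]:
            entries[-1][1][-1] += " " + line
    return entries


def first_version_with(text: str, marker: str) -> Optional[str]:
    """Oldest release whose entry mentions `marker` (case-insensitive)."""
    needle = marker.lower()
    for version, bullets in reversed(parse_changelog(text)):
        if any(needle in b.lower() for b in bullets):
            return version
    return None


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric upstream components of a version string.

    Drops a Debian epoch ('1:') and revision ('-1'). Simplification: real
    dpkg ordering also handles letters and '~'; Percona Toolkit's own
    versions are purely numeric, so tuple comparison is enough here."""
    upstream = v.split(":")[-1].split("-")[0]
    return tuple(int(part) for part in upstream.split("."))


def is_affected(version: str, introduced: str,
                fixed_in: Optional[str] = None) -> bool:
    """True if `version` carries the feature: introduced <= version < fixed_in."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed_in is not None and v >= parse_version(fixed_in):
        return False
    return True


if __name__ == "__main__":
    introduced = first_version_with(CHANGELOG, "--version-check")
    print("feature introduced in:", introduced)          # 2.1.4
    # wheezy's 2.1.2 predates the feature; 2.2.7 assumed fixed (see lead-in)
    for pkg in ("2.1.2-1", "2.1.4-1", "2.2.6-1", "2.2.7-1"):
        print(pkg, "affected:", is_affected(pkg, introduced, fixed_in="2.2.7"))
```

The oldest-first walk in `first_version_with` is what answers Dario's question: a feature first mentioned in 2.1.4 cannot be in 2.1.2, so the Debian Security Tracker entry for wheezy can be marked not-affected, while any version between 2.1.4 and the fixed release stays affected.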